ACI - L4 - L7 insertion - Simple design

ju.mahieu
Level 1

Hi,

I'm currently running the 2.1(1h) in production with 9936 Spine / 93xxx-EX.

For a specific tenant, my customer wants to filter traffic between each VLAN through an external firewall, as you can see in the attached diagram.

I would like to find the easiest way to do that in ACI.

Notes:

- Firewall is a physical cluster

- No device package available

- Static routing between ACI and the firewall (L3 out)

- VLAN/EPG gateway in ACI


Do you have any advice about this kind of design (unmanaged mode, PBR...)?

Regards,

Ju


2 Replies

Jason Williams
Level 1
Accepted Solution

Ju, 

It is unlikely that you will be provided a design recommendation from the support forum community. The Cisco Advanced Services team would be able to provide that service.

In regards to L4-L7, it is best to read through the Service Graph Design White Paper (below). The paper covers designs for firewalls in Go-To (routed) and Go-Through (bridged) mode along with bridge domain and VRF best practices.

http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html

For managed vs unmanaged, it depends on if you want to only force traffic to the firewall as opposed to ACI deploying all configuration onto the device. If no device package is available for your firewall, then your only option would be to try unmanaged mode. 

If you want to look into PBR, then I would suggest the guide below. 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver211/b_L4L7_Deploy_ver211_chapter_01001.pdf

Jason 
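For readers who want to see what the "unmanaged mode plus PBR" option Jason points to looks like as concrete APIC configuration, here is an added example (it is not from the thread, not from the linked Cisco documents, and not a validated design). It models the situation from the question, two EPGs in one tenant whose inter-VLAN traffic must pass through a physical firewall for which no device package exists, as an unmanaged Go-To (routed) L4-L7 device inserted by a service graph with PBR redirect. All names, IPs, MACs, VLANs, leaf ports and the physical domain are assumptions. It also deviates from the original note about static routing over an L3Out: with PBR the firewall legs sit in dedicated service bridge domains rather than behind an L3Out, because the leaf rewrites the destination MAC of redirected packets to the firewall interface MAC listed in the redirect policy.

```xml
<!-- Added example, not the thread's or Cisco's configuration. Assumed names:
     tenant "ju-tenant", VRF "vrf1", contract "web-to-app" between EPGs web and app,
     physical domain "fw-phys", firewall inside leg 10.10.1.10 (00:00:5E:00:53:01) on
     leaf 101 eth1/10 and outside leg 10.10.2.10 (00:00:5E:00:53:02) on leaf 101 eth1/11.
     POST to https://<apic>/api/mo/uni.xml after an aaaLogin session. -->
<polUni>
  <fvTenant name="ju-tenant">

    <!-- Unmanaged physical firewall in routed (Go-To) mode: ACI only steers traffic,
         it never pushes configuration to the device (there is no device package). -->
    <vnsLDevVip name="fw-cluster" managed="no" devtype="PHYSICAL" svcType="FW"
                funcType="GoTo" contextAware="single-Context">
      <vnsRsALDevToPhysDomP tDn="uni/phys-fw-phys"/>
      <vnsCDev name="fw-node1">
        <vnsCIf name="inside">
          <vnsRsCIfPathAtt tDn="topology/pod-1/paths-101/pathep-[eth1/10]"/>
        </vnsCIf>
        <vnsCIf name="outside">
          <vnsRsCIfPathAtt tDn="topology/pod-1/paths-101/pathep-[eth1/11]"/>
        </vnsCIf>
      </vnsCDev>
      <vnsLIf name="consumer" encap="vlan-3001">
        <vnsRsCIfAttN tDn="uni/tn-ju-tenant/lDevVip-fw-cluster/cDev-fw-node1/cIf-[inside]"/>
      </vnsLIf>
      <vnsLIf name="provider" encap="vlan-3002">
        <vnsRsCIfAttN tDn="uni/tn-ju-tenant/lDevVip-fw-cluster/cDev-fw-node1/cIf-[outside]"/>
      </vnsLIf>
    </vnsLDevVip>

    <!-- Dedicated service BDs for the two firewall legs (separate from the EPG BDs). -->
    <fvBD name="bd-fw-inside" unicastRoute="yes">
      <fvRsCtx tnFvCtxName="vrf1"/>
      <fvSubnet ip="10.10.1.1/24"/>
    </fvBD>
    <fvBD name="bd-fw-outside" unicastRoute="yes">
      <fvRsCtx tnFvCtxName="vrf1"/>
      <fvSubnet ip="10.10.2.1/24"/>
    </fvBD>

    <!-- PBR destinations. The MAC is what the leaf rewrites the destination MAC to,
         so it must be the real interface MAC of the firewall cluster, not a guess. -->
    <vnsSvcCont>
      <vnsSvcRedirectPol name="fw-inside-redirect">
        <vnsRedirectDest ip="10.10.1.10" mac="00:00:5E:00:53:01"/>
      </vnsSvcRedirectPol>
      <vnsSvcRedirectPol name="fw-outside-redirect">
        <vnsRedirectDest ip="10.10.2.10" mac="00:00:5E:00:53:02"/>
      </vnsSvcRedirectPol>
    </vnsSvcCont>

    <!-- Service graph template: one routed node in redirect mode between the terminals. -->
    <vnsAbsGraph name="fw-pbr-graph">
      <vnsAbsTermNodeCon name="T1"><vnsAbsTermConn name="1"/></vnsAbsTermNodeCon>
      <vnsAbsTermNodeProv name="T2"><vnsAbsTermConn name="1"/></vnsAbsTermNodeProv>
      <vnsAbsNode name="N1" funcType="GoTo" routingMode="Redirect" managed="no">
        <vnsAbsFuncConn name="consumer"/>
        <vnsAbsFuncConn name="provider"/>
        <vnsRsNodeToLDev tDn="uni/tn-ju-tenant/lDevVip-fw-cluster"/>
      </vnsAbsNode>
      <vnsAbsConnection name="C1" connType="external" unicastRoute="yes">
        <vnsRsAbsConnectionConns tDn="uni/tn-ju-tenant/AbsGraph-fw-pbr-graph/AbsTermNodeCon-T1/AbsTConn"/>
        <vnsRsAbsConnectionConns tDn="uni/tn-ju-tenant/AbsGraph-fw-pbr-graph/AbsNode-N1/AbsFConn-consumer"/>
      </vnsAbsConnection>
      <vnsAbsConnection name="C2" connType="external" unicastRoute="yes">
        <vnsRsAbsConnectionConns tDn="uni/tn-ju-tenant/AbsGraph-fw-pbr-graph/AbsNode-N1/AbsFConn-provider"/>
        <vnsRsAbsConnectionConns tDn="uni/tn-ju-tenant/AbsGraph-fw-pbr-graph/AbsTermNodeProv-T2/AbsTConn"/>
      </vnsAbsConnection>
    </vnsAbsGraph>

    <!-- Device selection policy: binds graph node N1 (for this contract) to the concrete
         firewall, the service BDs and the redirect policy for each leg. -->
    <vnsLDevCtx ctrctNameOrLbl="web-to-app" graphNameOrLbl="fw-pbr-graph" nodeNameOrLbl="N1">
      <vnsRsLDevCtxToLDev tDn="uni/tn-ju-tenant/lDevVip-fw-cluster"/>
      <vnsLIfCtx connNameOrLbl="consumer">
        <vnsRsLIfCtxToSvcRedirectPol tnVnsSvcRedirectPolName="fw-inside-redirect"/>
        <vnsRsLIfCtxToBD tDn="uni/tn-ju-tenant/BD-bd-fw-inside"/>
        <vnsRsLIfCtxToLIf tDn="uni/tn-ju-tenant/lDevVip-fw-cluster/lIf-consumer"/>
      </vnsLIfCtx>
      <vnsLIfCtx connNameOrLbl="provider">
        <vnsRsLIfCtxToSvcRedirectPol tnVnsSvcRedirectPolName="fw-outside-redirect"/>
        <vnsRsLIfCtxToBD tDn="uni/tn-ju-tenant/BD-bd-fw-outside"/>
        <vnsRsLIfCtxToLIf tDn="uni/tn-ju-tenant/lDevVip-fw-cluster/lIf-provider"/>
      </vnsLIfCtx>
    </vnsLDevCtx>

    <!-- Contract carrying the graph. The "default" filter matches everything on purpose:
         ACI steers all inter-EPG traffic to the firewall, and the firewall policy decides. -->
    <vzBrCP name="web-to-app">
      <vzSubj name="all">
        <vzRsSubjFiltAtt tnVzFilterName="default"/>
        <vzRsSubjGraphAtt tnVnsAbsGraphName="fw-pbr-graph"/>
      </vzSubj>
    </vzBrCP>
  </fvTenant>
</polUni>
```

The two EPGs then provide and consume `web-to-app` with the usual `fvRsProv`/`fvRsCons` relations, exactly as for a contract without a graph. Two checks worth doing before trusting such a deployment: confirm on the leaf that the redirect MAC in `vnsRedirectDest` matches the firewall's actual interface MAC (a wrong MAC silently blackholes the flow instead of failing loudly), and remember that with an unmanaged device ACI configures nothing on the firewall, so the filtering policy itself, and the firewall's routes back into the EPG subnets, are entirely the firewall administrator's responsibility.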

Thank you, Jason, for your reply.

I will discuss this topic with my Cisco representative.

Regards
Ju
